# maximum file upload size (keep up to date when changing the corresponding site setting) client_max_body_size 10m; # path to discourse's public directory set $public __FINALPATH__/public/; # without weak etags we get zero benefit from etags on dynamically compressed content # further more etags are based on the file in nginx not sha of data # use dates, it solves the problem fine even cross server etag off; # prevent direct download of backups location ^~ __PATH__/backups/ { internal; } # bypass rails stack with a cheap 204 for favicon.ico requests location __PATH__/favicon.ico { return 204; access_log off; log_not_found off; } location __PATH__ { alias __FINALPATH__/public/; add_header ETag ""; if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } # auth_basic on; # auth_basic_user_file /etc/nginx/htpasswd; # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; location ~* (assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico)$ { expires 1y; add_header Cache-Control public,immutable; add_header Access-Control-Allow-Origin *; } location = __PATH__/srv/status { access_log off; log_not_found off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock; break; } # some minimal caching here so we don't keep asking # longer term we should increas probably to 1y location ~ ^/javascripts/ { expires 1d; add_header Cache-Control public,immutable; } location ~ ^/assets/(?.+)$ { expires 1y; # asset pipeline enables this # brotli_static on; gzip_static on; add_header Cache-Control public,immutable; # HOOK in asset location (used for extensibility) # TODO I don't think this break is needed, it just breaks out of rewrite break; } location ~ ^/plugins/ { expires 1y; add_header Cache-Control public,immutable; } # cache emojis location ~ /images/emoji/ { expires 1y; add_header Cache-Control public,immutable; } location ~ ^/uploads/ { # NOTE: it is really annoying that we can't just define headers # at the top level and inherit. # # proxy_set_header DOES NOT inherit, by design, we must repeat it, # otherwise headers are not set correctly proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Sendfile-Type X-Accel-Redirect; proxy_set_header X-Accel-Mapping __FINALPATH__/public/=/downloads/; expires 1y; add_header Cache-Control public,immutable; ## optional upload anti-hotlinking rules #valid_referers none blocked mysite.com *.mysite.com; #if ($invalid_referer) { return 403; } # custom CSS location ~ /stylesheet-cache/ { try_files $uri =404; } # this allows us to bypass rails location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|svg|ico|webp)$ { try_files $uri =404; } # thumbnails & optimized images location ~ /_?optimized/ { try_files $uri =404; } proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock; break; } location ~ ^/admin/backups/ { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Sendfile-Type X-Accel-Redirect; proxy_set_header X-Accel-Mapping __FINALPATH__/public/=/downloads/; proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock; break; } # This big block is needed so we can selectively enable # acceleration for backups and avatars # see note about repetition above location ~ ^/(letter_avatar/|user_avatar|highlight-js|stylesheets|favicon/proxied|service-worker) { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; # if Set-Cookie is in the response nothing gets cached # this is double bad cause we are not passing last modified in proxy_ignore_headers "Set-Cookie"; proxy_hide_header "Set-Cookie"; # note x-accel-redirect can not be used with proxy_cache # proxy_cache one; proxy_cache_valid 200 301 302 7d; proxy_cache_valid any 1m; proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock; break; } # location /letter_avatar_proxy/ { # # Don't send any client headers to the avatars service # proxy_method GET; # proxy_pass_request_headers off; # proxy_pass_request_body off; # # # Don't let cookies interrupt caching, and don't pass them to the # # client # proxy_ignore_headers "Set-Cookie"; # proxy_hide_header "Set-Cookie"; # # proxy_cache one; # proxy_cache_key $uri; # proxy_cache_valid 200 7d; # proxy_cache_valid 404 1m; # proxy_set_header Connection ""; # # proxy_pass https://avatars.discourse.org/; # break; # } # we need buffering off for message bus location __PATH__/message-bus/ { proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_http_version 1.1; proxy_buffering off; proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock; break; } # this means every file in public is tried first try_files $uri @__NAME__; } location __PATH__/downloads/ { internal; alias __FINALPATH__/public/; } location @__NAME__ { add_header Referrer-Policy 'no-referrer-when-downgrade'; proxy_set_header Host $http_host; proxy_set_header X-Request-Start "t=${msec}"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_pass http://unix:__FINALPATH__/tmp/sockets/puma.sock; }